This note documents detection patterns for DCOMExec-style lateral movement (remote command execution through DCOM objects such as MMC20.Application or ShellWindows) within Active Directory environments. Unless stated otherwise, the events below are recorded on the target host.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | High | Logon Type 3 (network) on the target; the Source Network Address field identifies the initiating host. |
| Security | 4672 | Special privileges assigned to new logon | High | Follows the 4624 for the same Logon ID; confirms an administrative account was used (remote DCOM activation is granted to Administrators by default). |
| Security | 4688 | Process created | Critical | The shell's Creator Process Name is the DCOM server process (mmc.exe, explorer.exe or dllhost.exe, depending on the object). Requires Audit Process Creation and, for the command line, the "Include command line in process creation events" policy. |
| Sysmon | 1 | Process creation | Critical | cmd.exe or powershell.exe with ParentImage set to the DCOM host process; CommandLine shows what was run. |
| Sysmon | 3 | Network connection | Medium | Inbound RPC from the initiating host: TCP 135 (endpoint mapper) followed by a dynamic port (49152-65535 by default). |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Shell spawned by DCOM host | mmc.exe, explorer.exe or dllhost.exe → cmd.exe / powershell.exe | Critical | Parent depends on the DCOM object: MMC20.Application is served by mmc.exe, ShellWindows / ShellBrowserWindow by explorer.exe, surrogate-hosted objects by dllhost.exe. explorer.exe → cmd.exe is also normal interactive behaviour, so correlate it with a network logon. |
| RPC traffic between hosts | DCOM communication over TCP 135 followed by a dynamic high port | Medium | Supports execution activity; the connection to 135 identifies the initiating host when process telemetry is missing. |
| Remote execution without service creation | No System 7045 (or Security 4697) service-installation event around the execution | High | Differentiates from PsExec and other service-based tools. |
Common Tools
| Tool | Usage |
|---|---|
| Impacket dcomexec.py | Remote command execution via DCOM; uses ShellWindows by default, with ShellBrowserWindow and MMC20 selectable through -object. |
| CrackMapExec | The mmcexec execution method runs commands through MMC20.Application. |
| PowerShell | [Type]::GetTypeFromProgID with a remote host and [Activator]::CreateInstance instantiate a DCOM object by hand. Invoke-Command itself uses WinRM, not DCOM. |
Relevant Artifacts
- Security logs (4624, 4672, 4688)
- Sysmon process logs
- RPC/DCOM network telemetry
- EDR telemetry
- Prefetch artifacts
MITRE ATT&CK References
- T1021 Remote Services
- T1021.003 Distributed Component Object Model
Decision Tree
- Detect cmd.exe or powershell.exe spawned by a DCOM host process (mmc.exe, explorer.exe, dllhost.exe).
- Identify the initiating host from the Source Network Address of the preceding 4624 (Logon Type 3) or from the Sysmon 3 connection to TCP 135.
- Validate the authentication context: which account, whether 4672 fired for its Logon ID, and whether that account normally logs on to this host.
- Inspect the executed command line (4688 / Sysmon 1) and any files or outbound connections the shell produced.
- Determine lateral movement scope by pivoting on the same account and source address across other hosts; the absence of 7045 attributes the activity to DCOM rather than a service-based tool.
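The decision tree above, run over a few constructed events, as an added example that is not part of the original note. It finds shells spawned by a DCOM host process, ties each one to the most recent network logon on that host (initiating address and account), records whether a service was installed in the same window, and summarises which targets each source reached. The event field names (ts, host, channel, parent, image, src_ip and so on) are assumptions standing in for whatever the collector exports, and the events themselves are constructed, not real logs.

```python
"""Offline triage of DCOM-style remote execution (added example, not from the note).

Field names are assumptions; EVENTS is constructed sample telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Parent processes that serve commonly abused DCOM objects:
# MMC20.Application -> mmc.exe; ShellWindows / ShellBrowserWindow -> explorer.exe;
# objects loaded into a COM surrogate -> dllhost.exe.
DCOM_HOSTS = {"mmc.exe", "explorer.exe", "dllhost.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
WINDOW = timedelta(minutes=5)  # how far back to look for the logon on the target

# Constructed sample telemetry (assumed field names, not real logs).
EVENTS = [
    # WS02: network logon, then mmc.exe spawns cmd.exe (MMC20.Application pattern).
    {"ts": "2024-05-01T10:00:02", "host": "WS02", "channel": "Security", "id": 4624,
     "logon_type": 3, "user": "CORP\\admin.svc", "src_ip": "10.0.0.15"},
    {"ts": "2024-05-01T10:00:04", "host": "WS02", "channel": "Sysmon", "id": 1,
     "parent": "C:\\Windows\\System32\\mmc.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /Q /c whoami", "user": "CORP\\admin.svc"},
    # WS04: same source, dllhost.exe spawns powershell.exe.
    {"ts": "2024-05-01T10:07:30", "host": "WS04", "channel": "Security", "id": 4624,
     "logon_type": 3, "user": "CORP\\admin.svc", "src_ip": "10.0.0.15"},
    {"ts": "2024-05-01T10:07:33", "host": "WS04", "channel": "Sysmon", "id": 1,
     "parent": "C:\\Windows\\System32\\dllhost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -c hostname", "user": "CORP\\admin.svc"},
    # WS03: a logged-on user opens a shell from Explorer; no network logon, so not flagged.
    {"ts": "2024-05-01T11:30:00", "host": "WS03", "channel": "Sysmon", "id": 1,
     "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe", "user": "CORP\\jsmith"},
    # WS06: remote logon plus a 7045 service install -> service-based tool, not DCOM.
    {"ts": "2024-05-01T12:00:00", "host": "WS06", "channel": "Security", "id": 4624,
     "logon_type": 3, "user": "CORP\\admin.svc", "src_ip": "10.0.0.99"},
    {"ts": "2024-05-01T12:00:01", "host": "WS06", "channel": "System", "id": 7045,
     "service": "PSEXESVC"},
    {"ts": "2024-05-01T12:00:02", "host": "WS06", "channel": "Sysmon", "id": 1,
     "parent": "C:\\Windows\\PSEXESVC.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe", "user": "CORP\\admin.svc"},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ts(ev):
    return datetime.fromisoformat(ev["ts"])


def is_dcom_shell_spawn(ev):
    """Step 1: process creation (Sysmon 1 or Security 4688) of a shell under a DCOM host."""
    proc_event = (ev["channel"] == "Sysmon" and ev["id"] == 1) or \
                 (ev["channel"] == "Security" and ev["id"] == 4688)
    if not proc_event:
        return False
    return basename(ev.get("parent", "")) in DCOM_HOSTS and basename(ev.get("image", "")) in SHELLS


def network_logon_before(events, host, when):
    """Steps 2-3: most recent 4624 Logon Type 3 on `host` within WINDOW before `when`."""
    best = None
    for ev in events:
        if ev["host"] != host or ev["channel"] != "Security" or ev["id"] != 4624:
            continue
        if ev.get("logon_type") != 3 or not (when - WINDOW <= ts(ev) <= when):
            continue
        if best is None or ts(ev) > ts(best):
            best = ev
    return best


def service_installed_near(events, host, when):
    """PsExec differentiator: a System 7045 on `host` within WINDOW of `when`."""
    return any(ev["host"] == host and ev["channel"] == "System" and ev["id"] == 7045
               and abs(ts(ev) - when) <= WINDOW for ev in events)


def triage(events):
    """Walk the decision tree and return one finding per correlated DCOM shell spawn."""
    findings = []
    for ev in events:
        if not is_dcom_shell_spawn(ev):
            continue
        when = ts(ev)
        logon = network_logon_before(events, ev["host"], when)
        if logon is None:
            continue  # no remote logon: most likely an interactive user opening a shell
        findings.append({
            "host": ev["host"],
            "parent": basename(ev["parent"]),
            "image": basename(ev["image"]),
            "cmdline": ev.get("cmdline", ""),          # step 4
            "user": logon["user"],
            "src_ip": logon["src_ip"],                 # initiating host
            "service_installed": service_installed_near(events, ev["host"], when),
        })
    return findings


def lateral_movement_scope(findings):
    """Step 5: which targets each initiating address reached."""
    scope = defaultdict(set)
    for f in findings:
        scope[f["src_ip"]].add(f["host"])
    return {ip: sorted(hosts) for ip, hosts in scope.items()}


if __name__ == "__main__":
    found = triage(EVENTS)
    for f in found:
        print(f"{f['host']}: {f['parent']} -> {f['image']} as {f['user']} from {f['src_ip']} "
              f"cmd={f['cmdline']!r} service_installed={f['service_installed']}")
    print("scope:", lateral_movement_scope(found))
```

The logon correlation is what makes the explorer.exe branch usable: the WS03 event above is exactly what a user opening a command prompt looks like, and it is dropped only because no Logon Type 3 preceded it. On real data, feed the function events from the same host grouped by time, and widen WINDOW if the collector's clocks drift.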
Example Detection Templates
KQL
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("mmc.exe", "explorer.exe", "dllhost.exe")
| where FileName in~ ("cmd.exe", "powershell.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
EQL
process where process.parent.name in ("mmc.exe", "explorer.exe", "dllhost.exe") and
  process.name in ("cmd.exe", "powershell.exe")
Sigma
title: Suspicious DCOM Execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\mmc.exe'
            - '\explorer.exe'
            - '\dllhost.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection_parent and selection_child
level: high
The explorer.exe branch matches ordinary users opening a shell. Either scope it to hosts with a recent 4624 Logon Type 3 from another machine, or drop it and keep mmc.exe and dllhost.exe as the high-fidelity pair.
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| DCOM permissions | Restrict remote launch and activation permissions (Component Services / dcomcnfg) and block TCP 135 plus the RPC dynamic range at the host firewall from non-management subnets | High | Limits who can activate DCOM objects remotely. |
| Monitoring | Alert on DCOM host processes (mmc.exe, dllhost.exe, explorer.exe) spawning shells, correlated with a network logon | High | Strong detection indicator; the correlation removes most interactive explorer.exe noise. |
| Credential hygiene | Limit admin credential reuse across hosts (unique local admin passwords, tiered admin accounts) | Critical | DCOM execution needs administrative rights on the target; without shared admin credentials there is nothing to move with. |